Synopsys releases findings of report into open source risk management
Synopsys Inc has released the 2019 Open Source Security and Risk Analysis (OSSRA) report. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,200 audits of commercial applications and libraries, performed by the Black Duck Audit Services team.
The report highlights trends and
patterns in open source use, as well
as the prevalence of both insecure
open source components and license
conflicts. As shown in the report, many
of the trends in open source use that
have presented risk management
challenges to organisations in previous
years persist today. However, the data
also suggests that an inflection point has
been reached, with many organisations
improving their ability to manage open
source risk, possibly due to heightened
awareness and the maturation of
commercial software composition
analysis solutions.
“Open source plays an increasingly vital
role in modern software development
and deployment, but to realise its value
organisations need to understand and
manage how it impacts their risk posture
from a security and license compliance
perspective,” said Tim Mackey, Principal
Security Strategist of the Synopsys
Cybersecurity Research Center.
“The 2019 OSSRA report provides a
glimpse into the state of open source
risk management within commercial
applications. It shows that there are still
significant challenges, with the majority
of applications containing open source
security vulnerabilities and license
conflicts. But it also highlights that these
challenges can be addressed, as the
number of open source vulnerabilities
and license conflicts have declined from
the previous year.”
Some of the most noteworthy open
source risk trends identified in the 2019
OSSRA report include:
• There has been a significant uptick
in open source adoption. A total of
96% of codebases audited in 2018
contained open source components,
with an average of 298 open
source components per codebase
compared to 257 in 2017.
• Open source license conflicts
can put intellectual property at
risk. A total of 68% of codebases
contained some form of open source
license conflict and 38% contained
open source components with no
identifiable license.
• The use of ‘abandoned’ components
is common. A total of 85% of
codebases contained components
that were more than four years out-
of-date or had no development in
the past two years. If a component
is inactive and no one is maintaining
it, that means no one is addressing
its potential vulnerabilities.
• Many organisations are failing
to patch or update their open
source components. The average
age of vulnerabilities identified in
2018 Black Duck Audits was 6.6
years, slightly higher than 2017
– suggesting remediation efforts
haven’t improved significantly.
• Not all vulnerabilities are created
equal, but many organisations aren’t
even addressing the riskiest ones.
Over 40% of codebases contained
at least one high-risk open
source vulnerability.
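The trends above are the kind of findings a software composition analysis (SCA) audit surfaces. As an added example, not code from Synopsys, Black Duck or the OSSRA report, the script below applies the report's own risk indicators (a component version more than four years old, no upstream activity in the past two years, no identifiable license, a high-risk vulnerability present, and the average age of known vulnerabilities) to a constructed component inventory. The `Component` fields, the inventory entries, the vulnerability identifiers and the `AS_OF` date are all assumptions made up for the illustration.

```python
"""Policy check over an open source component inventory (added example).

Thresholds come from the OSSRA trend descriptions; the data model and the
sample inventory are constructed for this illustration and are not part of
any real audit.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Risk thresholds as described in the report's findings
MAX_VERSION_AGE_YEARS = 4   # "more than four years out-of-date"
MAX_INACTIVITY_YEARS = 2    # "no development in the past two years"


@dataclass
class Component:
    name: str
    version: str
    release_date: date              # release date of the version in use
    last_commit: date               # most recent upstream activity (assumed field)
    license: Optional[str]          # None means no identifiable license
    # (identifier, severity, disclosure date); ids here are placeholders
    vulns: List[Tuple[str, str, date]] = field(default_factory=list)


def years_between(earlier: date, later: date) -> float:
    """Elapsed time in years, using the mean Gregorian year length."""
    return (later - earlier).days / 365.25


def check_component(c: Component, today: date) -> List[str]:
    """Return the list of report-style risk flags that apply to one component."""
    flags = []
    if years_between(c.release_date, today) > MAX_VERSION_AGE_YEARS:
        flags.append("outdated")
    if years_between(c.last_commit, today) > MAX_INACTIVITY_YEARS:
        flags.append("abandoned")        # inactive: nobody is fixing its bugs
    if c.license is None:
        flags.append("no-license")       # IP risk: terms of use are unknown
    if any(severity == "high" for _, severity, _ in c.vulns):
        flags.append("high-risk-vuln")
    return flags


def average_vuln_age_years(components: List[Component], today: date) -> float:
    """Mean age of every known vulnerability in the inventory, in years.

    Returns 0.0 when no vulnerabilities are recorded, so callers do not
    have to guard against division by zero themselves.
    """
    ages = [
        (today - disclosed).days
        for c in components
        for _, _, disclosed in c.vulns
    ]
    if not ages:
        return 0.0
    return (sum(ages) / len(ages)) / 365.25


# Constructed sample inventory; vulnerability ids are obvious placeholders.
AS_OF = date(2019, 5, 1)
INVENTORY = [
    Component("libfoo", "1.2.0", date(2013, 3, 1), date(2014, 1, 10), "MIT",
              [("EXAMPLE-0001", "high", date(2014, 6, 1))]),
    Component("libbar", "2.0.1", date(2018, 11, 1), date(2019, 3, 15), None),
    Component("libbaz", "0.9", date(2017, 1, 1), date(2019, 4, 1), "Apache-2.0",
              [("EXAMPLE-0002", "medium", date(2016, 2, 1))]),
]


def report(components: List[Component], today: date) -> dict:
    """Summarise the inventory the way an audit summary would."""
    return {
        "findings": {c.name: check_component(c, today) for c in components},
        "average_vuln_age_years": round(average_vuln_age_years(components, today), 1),
    }


if __name__ == "__main__":
    for name, flags in report(INVENTORY, AS_OF)["findings"].items():
        print(f"{name}: {', '.join(flags) or 'no findings'}")
    print("average vulnerability age (years):",
          report(INVENTORY, AS_OF)["average_vuln_age_years"])
```

Run as a script it prints one line per component plus the mean vulnerability age; in practice the inventory would be populated from an SBOM or SCA tool export rather than hard-coded, and the thresholds tuned to the organisation's own risk appetite.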
Photo caption: Tim Mackey, Principal Security Strategist of the Synopsys Cybersecurity Research Center
www.intelligentciso.com | Issue 14 | 61